• Support
  • Login
  • Contact
  • Blog
  • Support
  • Login
  • Contact
  • Blog
SecurityScorecard SecurityScorecard
  • Products
    PRODUCTS
    • Security Ratings
      Identify security strengths across ten risk factors.
    • Security Data
      Get actionable, data-based insights.
    • Security Assessments
      Automate security questionnaire exchange.
    • Attack Surface Intelligence
      NEW
      On-demand contextualized global threat intelligence.
    • Automatic Vendor Detection
      Uncover your third and fourth party vendors.
    • Cyber Risk Quantification
      Translate cyber risk into financial impact.
    • Reporting Center
      Streamline cyber risk reporting.
    • SecurityScorecard Marketplace
      Discover and deploy pre-built integrations.
    SERVICES
    • Active Security Services
      Test your security controls.
    • Cyber Risk Intelligence
      Partner to obtain meaningful threat intelligence.
    • Digital Forensics & Incident Response
      Prepare to respond to any threat.
    • Third-Party Risk Management
      Reduce risk across your vendor ecosystem.
    BUY NOW
    • Compare All Plans
      Choose a plan that's right for your business.
    • Try Free Account
      Make informed decisions with confidence.
    • Buy Pro Now
      Add automated event responses.
    • Buy Business Now
      Expand on Pro with vendor management and integrations.
    • Request Enterprise Demo
      See the capabilities of an enterprise plan in action.
    icon__SSClogoMark icon__SSClogoMark

    Understand and reduce risk with SecurityScorecard.

    Free account sign up
  • Solutions
    BY USE CASE
    • Compliance
    • Cyber Insurance
    • Digital Forensics
    • Due Diligence
    • Enterprise Cyber Risk
    • Executive-Level Reporting
    • Incident Response
    • Regulatory Oversight
    • Third-Party Risk
    BY INDUSTRY
    • Critical Infrastructure
    • Enterprise
    • Financial Services
    • Government
    • Healthcare
    • Insurance
    • Retail & Consumer
    • Technology
    Help your organization calculate its risk
    View All Solutions
  • Customers
    OUR CUSTOMERS
    • Customer Overview
      Trusted by companies of all industries and sizes.
    • Peer Reviews
      Find out what our customers are saying.
    SUCCESS AND SUPPORT
    • Customer Success
      Receive award-winning customer service.
    • Support
      Get your questions answered by our experts.
    COMMUNITY
    • SecurityScorecard Connect
      Engage in fun, educational, and rewarding activities.
    • Connect Login
      Join our exclusive online customer community.
    icon__SSClogoMark icon__SSClogoMark
    Understand and reduce risk with SecurityScorecard.
    Free account sign up
  • Partners

    Partner Program Overview

    Partner with SecurityScorecard and leverage our global cybersecurity ratings leadership to expand your solution, deliver more value, and win new business.

    Learn more
    • Locate a Partner
      Access our industry-leading partner network.
    • Value-Added Resellers
      Enter new markets, deliver more value, and get rewarded.
    • Managed Service Providers
      Meet customer needs with cybersecurity ratings.
    • ISAC Partner Program
      Learn more about the industries we support and ISAC member benefits.
    • Technology Alliances
      Access innovative solutions from leading providers.
    • SCORE Portal Login
      Use the SCORE Partner Program to grow your business.
    • SecurityScorecard Marketplace
      Find a trusted solution that extends your SecurityScorecard experience.

    Understand and reduce risk with SecurityScorecard.

    Free account sign up
  • Resources
    RESOURCES
    • Resource Center
      Explore our cybersecurity ebooks, data sheets, webinars, and more.
    • SecurityScorecard Blog
      Read the latest blog posts published weekly.
    • Research & Insights Center
      Access our research on the latest industry trends and sector developments.
    • SecurityScorecard Academy
      NEW
      Complete certification courses and earn industry-recognized badges.
    TOOLS AND DOCUMENTATION
    • Free Security Rating
      Get your free ratings report with customized security score.
    • Product Release Notes
      Visit our support portal for the latest release notes.
    • Free Account Signup
      Start monitoring your cybersecurity posture today.
    • Chrome Extension
      NEW
      Show the security rating of websites you visit.
    • Assessments ROI Calculator
      Calculate the ROI of automating questionnaires.
    Trust begins with transparency. Take a look at the data that drives our ratings.
    Learn more
  • Company

    Working at SecurityScorecard

    Committed to promoting diversity, inclusion, and collaboration–and having fun while doing it.

    Join our team
    • About Us
      SecurityScorecard is the global leader in cybersecurity ratings.
    • Leadership
      Meet the team that is making the world a safer place.
    • Press
      Explore our most recent press releases and coverage.
    • Events
      Join us at any of these upcoming industry events.
    • Policy Insights
      Raising the bar on cybersecurity with security ratings.
    • Careers
      APPLY TODAY
      Come join the SecurityScorecard team!
    • Contact Us
      Contact us with any questions, concerns, or thoughts.
    • Trust Portal
      Take an inside look at the data that drives our technology.
    • Help Center
      We are here to help with any questions or difficulties.
Request a demo
SecurityScorecard SecurityScorecard
  • Support
  • Login
  • Contact
  • Blog
  • Support
  • Login
  • Contact
  • Blog
SecurityScorecard SecurityScorecard
  • Products
    PRODUCTS
    • Security Ratings
      Identify security strengths across ten risk factors.
    • Security Data
      Get actionable, data-based insights.
    • Security Assessments
      Automate security questionnaire exchange.
    • Attack Surface Intelligence
      NEW
      On-demand contextualized global threat intelligence.
    • Automatic Vendor Detection
      Uncover your third and fourth party vendors.
    • Cyber Risk Quantification
      Translate cyber risk into financial impact.
    • Reporting Center
      Streamline cyber risk reporting.
    • SecurityScorecard Marketplace
      Discover and deploy pre-built integrations.
    SERVICES
    • Active Security Services
      Test your security controls.
    • Cyber Risk Intelligence
      Partner to obtain meaningful threat intelligence.
    • Digital Forensics & Incident Response
      Prepare to respond to any threat.
    • Third-Party Risk Management
      Reduce risk across your vendor ecosystem.
    BUY NOW
    • Compare All Plans
      Choose a plan that's right for your business.
    • Try Free Account
      Make informed decisions with confidence.
    • Buy Pro Now
      Add automated event responses.
    • Buy Business Now
      Expand on Pro with vendor management and integrations.
    • Request Enterprise Demo
      See the capabilities of an enterprise plan in action.
    icon__SSClogoMark icon__SSClogoMark

    Understand and reduce risk with SecurityScorecard.

    Free account sign up
  • Solutions
    BY USE CASE
    • Compliance
    • Cyber Insurance
    • Digital Forensics
    • Due Diligence
    • Enterprise Cyber Risk
    • Executive-Level Reporting
    • Incident Response
    • Regulatory Oversight
    • Third-Party Risk
    BY INDUSTRY
    • Critical Infrastructure
    • Enterprise
    • Financial Services
    • Government
    • Healthcare
    • Insurance
    • Retail & Consumer
    • Technology
    Help your organization calculate its risk
    View All Solutions
  • Customers
    OUR CUSTOMERS
    • Customer Overview
      Trusted by companies of all industries and sizes.
    • Peer Reviews
      Find out what our customers are saying.
    SUCCESS AND SUPPORT
    • Customer Success
      Receive award-winning customer service.
    • Support
      Get your questions answered by our experts.
    COMMUNITY
    • SecurityScorecard Connect
      Engage in fun, educational, and rewarding activities.
    • Connect Login
      Join our exclusive online customer community.
    icon__SSClogoMark icon__SSClogoMark
    Understand and reduce risk with SecurityScorecard.
    Free account sign up
  • Partners

    Partner Program Overview

    Partner with SecurityScorecard and leverage our global cybersecurity ratings leadership to expand your solution, deliver more value, and win new business.

    Learn more
    • Locate a Partner
      Access our industry-leading partner network.
    • Value-Added Resellers
      Enter new markets, deliver more value, and get rewarded.
    • Managed Service Providers
      Meet customer needs with cybersecurity ratings.
    • ISAC Partner Program
      Learn more about the industries we support and ISAC member benefits.
    • Technology Alliances
      Access innovative solutions from leading providers.
    • SCORE Portal Login
      Use the SCORE Partner Program to grow your business.
    • SecurityScorecard Marketplace
      Find a trusted solution that extends your SecurityScorecard experience.

    Understand and reduce risk with SecurityScorecard.

    Free account sign up
  • Resources
    RESOURCES
    • Resource Center
      Explore our cybersecurity ebooks, data sheets, webinars, and more.
    • SecurityScorecard Blog
      Read the latest blog posts published weekly.
    • Research & Insights Center
      Access our research on the latest industry trends and sector developments.
    • SecurityScorecard Academy
      NEW
      Complete certification courses and earn industry-recognized badges.
    TOOLS AND DOCUMENTATION
    • Free Security Rating
      Get your free ratings report with customized security score.
    • Product Release Notes
      Visit our support portal for the latest release notes.
    • Free Account Signup
      Start monitoring your cybersecurity posture today.
    • Chrome Extension
      NEW
      Show the security rating of websites you visit.
    • Assessments ROI Calculator
      Calculate the ROI of automating questionnaires.
    Trust begins with transparency. Take a look at the data that drives our ratings.
    Learn more
  • Company

    Working at SecurityScorecard

    Committed to promoting diversity, inclusion, and collaboration–and having fun while doing it.

    Join our team
    • About Us
      SecurityScorecard is the global leader in cybersecurity ratings.
    • Leadership
      Meet the team that is making the world a safer place.
    • Press
      Explore our most recent press releases and coverage.
    • Events
      Join us at any of these upcoming industry events.
    • Policy Insights
      Raising the bar on cybersecurity with security ratings.
    • Careers
      APPLY TODAY
      Come join the SecurityScorecard team!
    • Contact Us
      Contact us with any questions, concerns, or thoughts.
    • Trust Portal
      Take an inside look at the data that drives our technology.
    • Help Center
      We are here to help with any questions or difficulties.
Request a demo
SecurityScorecard SecurityScorecard

RESEARCH & INSIGHTS CENTER

A Deep Dive Into the APT28’s stealer called CredoMap

Executive summary: CredoMap APT28 Malware

CredoMap is a stealer developed by the Russian APT28/Sofacy/Fancy Bear that was used to target users in Ukraine in the context of the ongoing war between Russia and Ukraine. The malware was initially discovered by Google and CERT-UA. The threat actor weaponized a document to exploit the Follina (CVE-2022-30190) vulnerability that would result in downloading the .NET stealer. The malware aims to steal the credentials and cookies from Google Chrome, Mozilla Firefox, and Microsoft Edge. The data exfiltration is done by sending information to a possibly compromised C2 server via the IMAP email protocol.

Analysis and findings of CredoMap APT28 Malware

SHA256: 2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

The process retrieves the path of the current executable and then connects to a hard-coded C2 server (162.241.216.236) on port 143 (IMAP) using hard-coded credentials:

Figure 1
Figure 2

The malware creates a TcpClient object, obtains a client stream for reading and writing, and then reads the response from the server:

Figure 3

The binary performs the login operation and reads the response using the Read method:

Figure 4

It selects the INBOX folder using the SELECT command and performs multiple function calls that steal the browsers’ credentials and cookies:

Figure 5
Figure 6

The sample verifies if the file “\Google\Chrome\User Data\Default\Network\Cookies” exists in the Local AppData folder by calling the File.Exists function:

Figure 7

The File.Copy method is used to copy the above file to a new file called “cc”:

Figure 8

The malicious binary opens a connection to the Cookies database and executes an SQL query that extracts some fields:

Figure 9

The process opens and reads the file called “Local/Google/Chrome/User Data/Local State” using File.ReadAllText. It extracts the Base64-encoded random key that is encrypted with DPAPI from JSON([“os_crypt”][“encrypted_key”]). The key is Base64-decoded and decrypted via a function call to ProtectedData.Unprotect:

Figure 10

The binary creates an AESEngine object, an AEADParameters object containing the decrypted AES-128 key and the nonce (12 bytes), and calls the GcmBlockCipher.Init function with a “False” parameter (decryption operation):

Figure 11

The “encrypted_value” extracted from the Cookies database is decrypted using the ProcessBytes and DoFinal methods:

Figure 12

The resulting values are stored in a dictionary that has the keys as “host_key” with values “name=<Decrypted encrypted_value>;”, as highlighted in the figure below.

Figure 13

Finally, the process serializes the dictionary to a JSON string using JsonConvert.SerializeObject:

Figure 14

The data exfiltration occurs by issuing a valid IMAP APPEND command. The “From” field is set to the username obtained from the Environment.UserName property, the “Subject” field is set to the current date and time on the computer obtained from the DateTime.UtcNow property, and the JSON string is also included in the command (see figure 15).

Figure 15

The malware verifies if the file “\Google\Chrome\User Data\Default\Login Data” exists in the Local AppData folder using File.Exists:

Figure 16

The File.Copy function is utilized to copy the above file to a new file called “cp”:

Figure 17

The binary opens a connection to the Login Data database and executes an SQL query that extracts the “action_url”, “username_value”, and “password_value” fields:

Figure 18

The malicious process reads the file “Local/Google/Chrome/User Data/Local State” found in the AppData directory and deserializes it using the JsonConvert.DeserializeObject method:

Figure 19
Figure 20

The sample extracts the Base64-encoded random key that is encrypted with DPAPI from [“os_crypt”][“encrypted_key”]. The key is Base64-decoded and decrypted via a function call to ProtectedData.Unprotect:

Figure 21

The encrypted “password_value” field is decrypted using a function that will be explained below:

Figure 22

The first 12 bytes after skipping 3 bytes (version tag) from “password_value” represent the AES nonce, and the rest of the information is the ciphertext, as displayed in the figure below.

Figure 23

As in the first case, the “password_value” field is decrypted by calling the ProcessBytes and DoFinal functions:

Figure 24

However, not all the passwords might be encrypted using AES-GCM. In the case of older versions of Chrome, the threat actor tries to decrypt the passwords using the ProtectedData.Unprotect API:

Figure 25

As we can see in figure 26, the process computes a string containing “action_url”, “username_value”, and the decrypted “password_value” field that was obtained using the 1st method of decryption or the 2nd method of decryption, respectively:

Figure 26

The credentials exfiltration occurs, in the same way, using an IMAP command to the C2 server.

The binary checks if the directory “Mozilla\Firefox\Profiles\” can be located in the AppData folder (see figure 27).

Figure 27

The malware is looking for a file called “cookies.sqlite” in the profile folders. The “cookies.sqlite” database is copied to a file called “fc”:

Figure 28

The sample runs the “SELECT * FROM moz_cookies” SQL query to retrieve the Firefox cookies:

Figure 29

A new dictionary is created having the keys as “host” with values “name=value;”, as shown in the figure below.

Figure 30

The dictionary is serialized to JSON and will be exfiltrated via IMAP.

The executable verifies if the following files can be identified in the profile folders:

  • logins.json

  • key4.db

  • cert9.db

  • signons.sqlite

  • key3.db

  • cert8.db

Figure 31

If any of the above files exist, it is copied to the current directory, and its content is encoded using Base64. The file location and the Base64-encoded content are exfiltrated using the IMAP protocol. Finally, the newly created files are deleted using File.Delete:

Figure 32

The File.Exists function is used to check if the file “\Microsoft\Edge\User Data\Default\Login Data” exists in the Local AppData directory:

Figure 33

The above file is copied to a new file called “ep”, as highlighted in figure 34.

Figure 34

The sample executes the following SQL query that extracts usernames and encrypted passwords from the “logins” table:

Figure 35

The “password_value” field is decrypted by calling the decrypt function that was also used to decrypt the Chrome credentials:

Figure 36

In the case of older versions of Microsoft Edge, the process tries to decrypt the passwords using the ProtectedData.Unprotect function:

Figure 37

The malware creates a string containing “action_url”, “username_value”, and the decrypted “password_value” field that was obtained using one of the two decryption methods:

Figure 38

The executable verifies if the file “\Microsoft\Edge\User Data\Default\Network\Cookies” can be found in the Local AppData folder (see figure 39).

Figure 39

File.Copy is used to copy the above file to a file called “ec”:

Figure 40

The following SQL query is run by the malware, which extracts some fields from the “cookies” table:

Figure 41

The binary extracts the Base64-encoded key that was encrypted with DPAPI from “%LocalApplicationData%\Microsoft\Edge\User Data\Local State”. The key is decrypted via a function call to ProtectedData.Unprotect:

Figure 42

The “encrypted_value” field is decrypted using the AES key extracted above by calling the ProcessBytes and DoFinal methods:

Figure 43

The function result is a dictionary containing the relevant information that is serialized using JsonConvert.SerializeObject:

Figure 44

All the files that were copied to the current directory are deleted using the File.Delete function:

Figure 45

The malicious process sets Normal attributes for a file called “SQLite.Interop.dll,” which Malwarebytes found that it’s downloaded from the C2 server along with the initial executable. The DLL file is deleted using File.Delete and another deletion function implemented by the malware:

Figure 46

The implementation of the deletion function consists of creating a cmd.exe process that deletes the DLL file shown above:

Figure 47

The process deletes the initial executable and then exits:

Figure 48




Indicators of Compromise

C2 server

162.241.216.236

SHA256

2318ae5d7c23bf186b88abecf892e23ce199381b22c8eb216ad1616ee8877933

Processes spawned

cmd.exe “/C Del <Files>”

YARA rule to detect the threat

rule CredoMap_APT28

{

meta:

author = “Vlad Pasca – SecurityScorecard”

Date = “2022-09-16”

strings:

$s1 = “\\cookies.sqlite” fullword wide

$s2 = “SQLite.Interop.dll” fullword wide

$s3 = “Subject:” fullword wide

$s4 = “$ LOGIN” fullword wide

$s5 = “/C Del” fullword wide

condition:

(uint16(0) == 0x5A4D) and (4 of ($s*))

}

Indicators of Compromise

Please contact [email protected] for IoCs associated with CredoMap, or with any questions or comments.

Threat Intelligence with SecurityScorecard

SecurityScorecard’s Threat Intelligence could be the competitive advantage your company needs to stay ahead of today’s fast-moving threat actors. If your company would like to access the expertise of SecurityScorecard’s Threat Research and Intelligence team, contact us today.



Related articles

Don’t Fight Alone Incident Response Template

Incident Response Template Download this free template for outlining the steps SecurityScorecard will take alongside you in the event of

Read More »
03/24/2023
reduce cyber risk report
Cyber Insurance

Protected: Reduce Cyber Risk with the predictive power of security ratings

There is no excerpt because this is a protected post.

Read More »
03/21/2023

Case Study: UNICC

As one of Japan’s leading networking and security technology integrators, Network Value Components (NVC) is responsible for provisioning, implementing, and maintaining the software and security solutions its clients need to stay safe.

Read More »
03/16/2023
Return to RESOURCES
Products
Solutions
Customers
Marketplace
Partners
Resources
Company
Trust Portal
Security Ratings
Login
Blog
Contact
Careers

SecurityScorecard
Tower 49
12 E 49th St
Suite 15-100
New York, NY 10017

[email protected]

United States: (800) 682-1701
International: +1(646) 809-2166
Social-linkedin Social-facebook Twitter Instagram Youtube
  • Terms of Use
  • Privacy Policy
  • Patents
  • Cookies
© 2022 SecurityScorecard